Re: [OS-BUILD PATCH 0/2] random: Add hook to override device reads and getrandom(2)

2023-10-19 Thread Herbert Xu (via Email Bridge)
From: Herbert Xu on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757#note_1611555983

Such modifications of /dev/random are unacceptable upstream and remain so.
Thanks!
___
kernel mailing list -- kernel@lists.fedoraproject.org
To unsubscribe send an email to kernel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/kernel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue


Re: [OS-BUILD PATCH 0/2] random: Add hook to override device reads and getrandom(2)

2023-10-19 Thread Don Zickus (via Email Bridge)
From: Don Zickus on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757#note_1611091360

@herbert.xu2 thanks!  Is there a reason why this isn't pushed upstream and
needs to be RHEL-only?  (We ask on all RHEL-only patches).


[OS-BUILD PATCH] redhat/configs: share CONFIG_ARM64_ERRATUM_2966298 between rhel and fedora

2023-10-19 Thread Mark Salter (via Email Bridge)
From: Mark Salter 

redhat/configs: share CONFIG_ARM64_ERRATUM_2966298 between rhel and fedora

This is enabled for both rhel and fedora, so make it common.

Signed-off-by: Mark Salter 

diff --git 
a/redhat/configs/fedora/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_2966298 
b/redhat/configs/common/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_2966298
rename from 
redhat/configs/fedora/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_2966298
rename to redhat/configs/common/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_2966298
index blahblah..blahblah 100644
--- a/redhat/configs/fedora/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_2966298
+++ b/redhat/configs/common/generic/arm/aarch64/CONFIG_ARM64_ERRATUM_2966298
diff --git a/redhat/configs/rhel/generic/CONFIG_ARM64_ERRATUM_2966298 
b/redhat/configs/rhel/generic/CONFIG_ARM64_ERRATUM_2966298
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/rhel/generic/CONFIG_ARM64_ERRATUM_2966298
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_ARM64_ERRATUM_2966298=y
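Review bot: the rename hunk for the fedora file carries no content lines, so this diff only shows the value of the rhel copy being deleted (`CONFIG_ARM64_ERRATUM_2966298=y`) and not what the file now under redhat/configs/common/generic/arm/aarch64/ contains after the move. The commit message says the option is enabled for both trees; stating the resulting common value in the message, or keeping a content hunk for the moved file, would let a reviewer confirm that rhel and fedora end up with the same setting without checking out the branch.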

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2759


Re: [OS-BUILD PATCH] configs: Remove S390 IOMMU config options that no longer exist

2023-10-19 Thread Daniel Horak (via Email Bridge)
From: Daniel Horak on gitlab.com
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2758#note_1610566530

LGTM


[OS-BUILD PATCH] configs: Remove S390 IOMMU config options that no longer exist

2023-10-19 Thread Jerry Snitselaar (via Email Bridge)
From: Jerry Snitselaar 

configs: Remove S390 IOMMU config options that no longer exist

S390_CCW_IOMMU and S390_AP_IOMMU no longer exist as config
options upstream or in rhel, so remove them.

   # vgrep S390_CCW_IOMMU
   Index File                                                      Line Content
   0     redhat/kernel.changelog-9.99                              1470 - redhat/configs: Enable ...
   1     redhat/configs/common/generic/s390x/CONFIG_S390_CCW_IOMMU 1    CONFIG_S390_CCW_IOMMU=y
   # vgrep S390_AP_IOMMU
   Index File                                                      Line Content
   0     redhat/configs/common/generic/s390x/CONFIG_S390_AP_IOMMU  1    CONFIG_S390_AP_IOMMU=y

Signed-off-by: Jerry Snitselaar 

diff --git a/redhat/configs/common/generic/s390x/CONFIG_S390_AP_IOMMU 
b/redhat/configs/common/generic/s390x/CONFIG_S390_AP_IOMMU
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/common/generic/s390x/CONFIG_S390_AP_IOMMU
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_S390_AP_IOMMU=y
diff --git a/redhat/configs/common/generic/s390x/CONFIG_S390_CCW_IOMMU 
b/redhat/configs/common/generic/s390x/CONFIG_S390_CCW_IOMMU
deleted file mode 100644
index blahblah..blahblah 0
--- a/redhat/configs/common/generic/s390x/CONFIG_S390_CCW_IOMMU
+++ /dev/null
@@ -1 +0,0 @@
-CONFIG_S390_CCW_IOMMU=y
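Review bot: the commit message asserts that S390_CCW_IOMMU and S390_AP_IOMMU no longer exist as Kconfig symbols upstream or in rhel but does not cite the upstream commit that removed them, which is the one reference a reviewer needs to verify the claim without a tree search; please add it. The vgrep output shows the only other mention is a historical entry in redhat/kernel.changelog-9.99 (line 1470), which is correct to leave untouched, so the two file deletions are the complete change.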

--
https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2758


[OS-BUILD PATCH 1/2] random: Add hook to override device reads and getrandom(2)

2023-10-19 Thread Herbert Xu (via Email Bridge)
From: Herbert Xu 

random: Add hook to override device reads and getrandom(2)

Upstream Status: RHEL only

Restore the changes to /dev/random which were reverted after 5.18.

This reverts commit 900f11e054896bae7b0146055698656e3d1e20a6.

This also brings the code up-to-date with respect to centos-stream
commit 9de3a7339793d3c516b9305a8854267156f90c53 so that changes that
were made after the kernel-ark revert have been brought in.

Signed-off-by: Herbert Xu 

diff --git a/drivers/char/random.c b/drivers/char/random.c
index blahblah..blahblah 100644
--- a/drivers/char/random.c
+++ b/drivers/char/random.c
@@ -51,6 +51,7 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
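Review bot: the header name on the added #include line is not visible in the diff as rendered here (the angle-bracketed name was dropped), so the new dependency this hunk introduces to drivers/char/random.c cannot be checked from the patch text; since include/linux/random.h is listed in the series diffstat, the commit message should name the header that declares struct random_extrng so the include can be verified against it.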
@@ -309,6 +310,11 @@ static void crng_fast_key_erasure(u8 key[CHACHA_KEY_SIZE],
memzero_explicit(first_block, sizeof(first_block));
 }
 
+/*
+ * Hook for external RNG.
+ */
+static const struct random_extrng __rcu *extrng;
+
 /*
  * This function returns a ChaCha state that you may use for generating
  * random data. It also returns up to 32 bytes on its own of random data
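Review bot: the comment on the new `static const struct random_extrng __rcu *extrng;` says only "Hook for external RNG" and does not state that a single external RNG is supported at a time, nor that registering a second one silently replaces the first (which is what rcu_assign_pointer() in random_register_extrng() does); spelling that out here, next to the pointer, is where the next reader will look. The declaration also lands between crng_fast_key_erasure() and the comment block of the following function; grouping it with the other static state near the top of the file would be tidier.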
@@ -739,6 +745,9 @@ static void __cold _credit_init_bits(size_t bits)
 }
 
 
+static const struct file_operations extrng_random_fops;
+static const struct file_operations extrng_urandom_fops;
+
 /**
  *
  * Entropy collection routines.
@@ -956,6 +965,19 @@ void __init add_bootloader_randomness(const void *buf, 
size_t len)
credit_init_bits(len * 8);
 }
 
+void random_register_extrng(const struct random_extrng *rng)
+{
+   rcu_assign_pointer(extrng, rng);
+}
+EXPORT_SYMBOL_GPL(random_register_extrng);
+
+void random_unregister_extrng(void)
+{
+   RCU_INIT_POINTER(extrng, NULL);
+   synchronize_rcu();
+}
+EXPORT_SYMBOL_GPL(random_unregister_extrng);
+
 #if IS_ENABLED(CONFIG_VMGENID)
 static BLOCKING_NOTIFIER_HEAD(vmfork_chain);
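Review bot: random_register_extrng() returns void and does `rcu_assign_pointer(extrng, rng)` unconditionally, so if two providers register, the second wins and neither is told; returning -EBUSY when extrng is already non-NULL (a cmpxchg on the pointer, or a small mutex around the assignment) would make the override explicit and give the caller a way to fail. random_unregister_extrng() clears the pointer and waits with synchronize_rcu(), which covers the rcu_read_lock() sections in getrandom() and the open paths, but a file already switched to the extrng fops holds only a module reference on rng->owner and keeps dereferencing extrng afterwards; see the note on the extrng_read_iter() hunk below.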
 
@@ -1366,6 +1388,7 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, 
len, unsigned int, flags
struct iov_iter iter;
struct iovec iov;
int ret;
+   const struct random_extrng *rng;
 
if (flags & ~(GRND_NONBLOCK | GRND_RANDOM | GRND_INSECURE))
return -EINVAL;
@@ -1377,6 +1400,21 @@ SYSCALL_DEFINE3(getrandom, char __user *, ubuf, size_t, 
len, unsigned int, flags
if ((flags & (GRND_INSECURE | GRND_RANDOM)) == (GRND_INSECURE | 
GRND_RANDOM))
return -EINVAL;
 
+   rcu_read_lock();
+   rng = rcu_dereference(extrng);
+   if (rng && !try_module_get(rng->owner))
+   rng = NULL;
+   rcu_read_unlock();
+
+   if (rng) {
+   ret = import_single_range(ITER_DEST, ubuf, len, , );
+   if (unlikely(ret))
+   return ret;
+   ret = rng->extrng_read_iter(, !!(flags & GRND_RANDOM));
+   module_put(rng->owner);
+   return ret;
+   }
+
if (!crng_ready() && !(flags & GRND_INSECURE)) {
if (flags & GRND_NONBLOCK)
return -EAGAIN;
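Review bot: the external-RNG branch in getrandom() returns before the crng_ready()/GRND_NONBLOCK handling and hands rng->extrng_read_iter() only `!!(flags & GRND_RANDOM)`, so GRND_INSECURE and GRND_NONBLOCK are validated above, then silently ignored whenever an external RNG is registered. If that is intended (the external DRBG is treated as always seeded, so neither blocking nor the insecure early-boot path applies), say so in the commit message and in the hook's comment; otherwise pass the flags through so the provider can honour them. The `import_single_range()` call arguments are also missing from the rendered diff, so the iov/iter setup could not be checked here.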
@@ -1397,6 +1435,12 @@ static __poll_t random_poll(struct file *file, 
poll_table *wait)
return crng_ready() ? EPOLLIN | EPOLLRDNORM : EPOLLOUT | EPOLLWRNORM;
 }
 
+static __poll_t extrng_poll(struct file *file, poll_table * wait)
+{
+   /* extrng pool is always full, always read, no writes */
+   return EPOLLIN | EPOLLRDNORM;
+}
+
 static ssize_t write_pool_user(struct iov_iter *iter)
 {
u8 block[BLAKE2S_BLOCK_SIZE];
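Review bot: checkpatch will flag `poll_table * wait` in the extrng_poll() prototype (space after the asterisk); write `poll_table *wait`. The comment "always read, no writes" describes the returned mask correctly, but random_poll() directly above reports EPOLLOUT | EPOLLWRNORM when the pool wants seeding, so a reader comparing the two may wonder why the external RNG never advertises writability; a short remark that reseeding of the external RNG is the provider's job and not driven by writes to the device would answer that.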
@@ -1538,7 +1582,58 @@ static int random_fasync(int fd, struct file *filp, int 
on)
return fasync_helper(fd, filp, on, );
 }
 
+static int random_open(struct inode *inode, struct file *filp)
+{
+   const struct random_extrng *rng;
+
+   rcu_read_lock();
+   rng = rcu_dereference(extrng);
+   if (rng && !try_module_get(rng->owner))
+   rng = NULL;
+   rcu_read_unlock();
+
+   if (!rng)
+   return 0;
+
+   filp->f_op = _random_fops;
+   filp->private_data = rng->owner;
+
+   return 0;
+}
+
+static int urandom_open(struct inode *inode, struct file *filp)
+{
+   const struct random_extrng *rng;
+
+   rcu_read_lock();
+   rng = rcu_dereference(extrng);
+   if (rng && !try_module_get(rng->owner))
+   rng = NULL;
+   rcu_read_unlock();
+
+   if (!rng)
+   return 0;
+
+   filp->f_op = _urandom_fops;
+   filp->private_data = rng->owner;
+
+   return 0;
+}
+
+static int extrng_release(struct inode *inode, struct file *filp)
+{
+   module_put(filp->private_data);
+   return 0;
+}
+
+static ssize_t
+extrng_read_iter(struct kiocb *kiocb, struct iov_iter *iter)
+{
+   return rcu_dereference_raw(extrng)->extrng_read_iter(iter, false);
+}
+
 const struct file_operations random_fops = {
+   .open  = random_open,
.read_iter = random_read_iter,
.write_iter = random_write_iter,
.poll = 
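Review bot: extrng_read_iter() reads `rcu_dereference_raw(extrng)->extrng_read_iter(iter, false)` with no NULL check and outside any RCU critical section, while the file only pins the provider through module_get on rng->owner in random_open()/urandom_open(); nothing stops random_unregister_extrng() from clearing the pointer while such a file is open, after which the next read is a NULL pointer dereference. Store the `rng` pointer itself in filp->private_data (extrng_release() can then do `module_put(rng->owner)`) and read through that, which also removes the need for rcu_dereference_raw(). Separately, random_open() and urandom_open() are identical apart from the fops assigned; a helper taking the fops pointer would halve the duplicated lookup.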

[OS-BUILD PATCH 0/2] random: Add hook to override device reads and getrandom(2)

2023-10-19 Thread Herbert Xu (via Email Bridge)
From: Herbert Xu on gitlab.com
Merge Request: https://gitlab.com/cki-project/kernel-ark/-/merge_requests/2757

Upstream Status: RHEL only

Restore the changes to /dev/random which were reverted after 5.18.

This reverts commit 900f11e054896bae7b0146055698656e3d1e20a6 and
297bcb88233101e8d5062729ff3a5f989bad1c3b.

This also brings the code up-to-date with respect to centos-stream
commit 9de3a7339793d3c516b9305a8854267156f90c53 so that changes that
were made after the kernel-ark revert have been brought in.

Signed-off-by: Herbert Xu 

---
 crypto/drbg.c  |   18 -
 crypto/rng.c   |  149 +++-
 drivers/char/random.c  |  122 
 include/linux/crypto.h |1 +
 include/linux/random.h |   10 +++
 5 files changed, 281 insertions(+), 19 deletions(-)
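As an added, stand-alone check (example code written for this page, not part of the patch series or of kernel-ark), here is a small userspace probe of the getrandom(2) flag validation that the getrandom() hunk in patch 1/2 keeps in front of the external-RNG path: the kernel must reject GRND_INSECURE combined with GRND_RANDOM, and any undefined flag bit, with EINVAL before it ever consults a registered provider. It uses the raw syscall so the result reflects the kernel rather than the libc wrapper, and it assumes a Linux host; the fallback flag values are the ones from <linux/random.h>.

```c
/* Added example: probe getrandom(2) flag handling on the running kernel.
 * Not part of the kernel-ark patch series; assumes a Linux host. */
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Flag values as defined in <linux/random.h>; fallback definitions only. */
#ifndef GRND_NONBLOCK
#define GRND_NONBLOCK 0x0001
#endif
#ifndef GRND_RANDOM
#define GRND_RANDOM 0x0002
#endif
#ifndef GRND_INSECURE
#define GRND_INSECURE 0x0004
#endif

/* Returns bytes read on success, or -errno on failure. The raw syscall is
 * used so the answer comes from the kernel, not from a libc emulation. */
long probe_getrandom(void *buf, size_t len, unsigned int flags)
{
	long ret = syscall(SYS_getrandom, buf, len, flags);
	return ret < 0 ? -errno : ret;
}

/* The two rejections the getrandom() flag checks guarantee: the
 * INSECURE+RANDOM combination and any flag bit outside the defined three
 * must both come back as -EINVAL. Returns 1 if both hold, else 0. */
int flags_rejected_as_documented(void)
{
	unsigned char buf[16];

	if (probe_getrandom(buf, sizeof(buf), GRND_INSECURE | GRND_RANDOM) != -EINVAL)
		return 0;
	if (probe_getrandom(buf, sizeof(buf), 0x100) != -EINVAL)
		return 0;
	return 1;
}

/* A plain request of at most 256 bytes is documented not to be short once
 * the CRNG is ready. Returns the byte count, or -errno. */
long plain_request_len(size_t len)
{
	unsigned char buf[256];

	if (len > sizeof(buf))
		return -EINVAL;
	return probe_getrandom(buf, len, 0);
}

/* Cheap sanity check that output is not stuck: two successive 32-byte
 * reads must differ. Returns 1 if they differ, 0 if equal, -errno on error. */
int successive_reads_differ(void)
{
	unsigned char a[32], b[32];
	long r;

	r = probe_getrandom(a, sizeof(a), 0);
	if (r < 0)
		return (int)r;
	r = probe_getrandom(b, sizeof(b), 0);
	if (r < 0)
		return (int)r;
	return memcmp(a, b, sizeof(a)) != 0;
}

int main(void)
{
	printf("flag rejections as documented: %s\n",
	       flags_rejected_as_documented() ? "yes" : "NO");
	printf("plain 32-byte request returned: %ld\n", plain_request_len(32));
	printf("successive reads differ: %d\n", successive_reads_differ());
	return 0;
}
```

On a kernel carrying the 1/2 hook the EINVAL checks behave the same, because they run before the extrng lookup; what this probe cannot tell you is whether the bytes came from the kernel's own CRNG or from a registered provider, since the hook is invisible to userspace and the flags other than GRND_RANDOM are not passed on to it.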


[OS-BUILD PATCH 2/2] crypto: rng - Override drivers/char/random in FIPS mode

2023-10-19 Thread Herbert Xu (via Email Bridge)
From: Herbert Xu 

crypto: rng - Override drivers/char/random in FIPS mode

Upstream Status: RHEL only

Restore the changes to use the crypto RNG in drivers/char/random
which were reverted after 5.18.

This reverts commit 297bcb88233101e8d5062729ff3a5f989bad1c3b.

This also brings the code up-to-date with respect to centos-stream
commit 9de3a7339793d3c516b9305a8854267156f90c53 so that changes that
were made after the kernel-ark revert have been brought in.

Signed-off-by: Herbert Xu 

diff --git a/crypto/drbg.c b/crypto/drbg.c
index blahblah..blahblah 100644
--- a/crypto/drbg.c
+++ b/crypto/drbg.c
@@ -1510,13 +1510,14 @@ static int drbg_generate(struct drbg_state *drbg,
  * Wrapper around drbg_generate which can pull arbitrary long strings
  * from the DRBG without hitting the maximum request limitation.
  *
- * Parameters: see drbg_generate
+ * Parameters: see drbg_generate, except @reseed, which triggers reseeding
  * Return codes: see drbg_generate -- if one drbg_generate request fails,
  *  the entire drbg_generate_long request fails
  */
 static int drbg_generate_long(struct drbg_state *drbg,
  unsigned char *buf, unsigned int buflen,
- struct drbg_string *addtl)
+ struct drbg_string *addtl,
+ bool reseed)
 {
unsigned int len = 0;
unsigned int slice = 0;
@@ -1526,6 +1527,8 @@ static int drbg_generate_long(struct drbg_state *drbg,
slice = ((buflen - len) / drbg_max_request_bytes(drbg));
chunk = slice ? drbg_max_request_bytes(drbg) : (buflen - len);
mutex_lock(>drbg_mutex);
+   if (reseed)
+   drbg->seeded = DRBG_SEED_STATE_UNSEEDED;
err = drbg_generate(drbg, buf + len, chunk, addtl);
mutex_unlock(>drbg_mutex);
if (0 > err)
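Review bot: the updated parameter comment says @reseed "triggers reseeding" but not at what granularity, and the code places `if (reseed) drbg->seeded = DRBG_SEED_STATE_UNSEEDED;` inside the per-slice loop, so a request longer than drbg_max_request_bytes() is reseeded before every slice rather than once per request. If a reseed before each internal generate call is the intent, say so in the comment; if one reseed per request is enough, clear the flag after the first slice (`reseed = false;` right after the assignment). Either way, a remark that this works by poisoning the seed state and relying on drbg_generate() to notice DRBG_SEED_STATE_UNSEEDED, rather than calling the reseed path directly, would save the next reader a trip through drbg_generate().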
@@ -1952,6 +1955,7 @@ static int drbg_kcapi_random(struct crypto_rng *tfm,
struct drbg_state *drbg = crypto_rng_ctx(tfm);
struct drbg_string *addtl = NULL;
struct drbg_string string;
+   int err;
 
if (slen) {
/* linked list variable is now local to allow modification */
@@ -1959,7 +1963,15 @@ static int drbg_kcapi_random(struct crypto_rng *tfm,
addtl = 
}
 
-   return drbg_generate_long(drbg, dst, dlen, addtl);
+   err = drbg_generate_long(drbg, dst, dlen, addtl,
+(crypto_tfm_get_flags(crypto_rng_tfm(tfm)) &
+ CRYPTO_TFM_REQ_NEED_RESEED) ==
+CRYPTO_TFM_REQ_NEED_RESEED);
+
+   crypto_tfm_clear_flags(crypto_rng_tfm(tfm),
+  CRYPTO_TFM_REQ_NEED_RESEED);
+
+   return err;
 }
 
 /*
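Review bot: CRYPTO_TFM_REQ_NEED_RESEED is read before drbg_generate_long() and cleared unconditionally after it, both outside drbg->drbg_mutex, so a concurrent user of the same tfm that sets the flag while this generate is running has its request cleared without ever causing a reseed; the flag is also cleared when err < 0 and no output was produced. Test-and-clear the flag under the mutex (or at least clear it only on success) so a requested reseed cannot be lost. The `(... & CRYPTO_TFM_REQ_NEED_RESEED) == CRYPTO_TFM_REQ_NEED_RESEED` comparison can be written as `!!(... & CRYPTO_TFM_REQ_NEED_RESEED)`.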
diff --git a/crypto/rng.c b/crypto/rng.c
index blahblah..blahblah 100644
--- a/crypto/rng.c
+++ b/crypto/rng.c
@@ -12,10 +12,13 @@
 #include 
 #include 
 #include 
+#include 
 #include 
 #include 
 #include 
 #include 
+#include 
+#include 
 #include 
 #include 
 #include 
@@ -23,7 +26,9 @@
 
 #include "internal.h"
 
-static DEFINE_MUTEX(crypto_default_rng_lock);
+static cacheline_aligned_in_smp DEFINE_MUTEX(crypto_reseed_rng_lock);
+static struct crypto_rng *crypto_reseed_rng;
+static cacheline_aligned_in_smp DEFINE_MUTEX(crypto_default_rng_lock);
 struct crypto_rng *crypto_default_rng;
 EXPORT_SYMBOL_GPL(crypto_default_rng);
 static int crypto_default_rng_refcnt;
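Review bot: crypto_reseed_rng gets its own mutex here but, unlike crypto_default_rng two lines below, no refcount is introduced alongside it; if the reseed RNG is meant to be torn down by a crypto_del_*-style path like the default one, a matching counter is needed, and if it is meant to live for the lifetime of the module a comment saying so would prevent someone adding one later. The cacheline_aligned_in_smp on two mutexes declared back to back only pays off if they are contended from different CPUs at once; a one-line justification would help.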
@@ -136,31 +141,37 @@ struct crypto_rng *crypto_alloc_rng(const char *alg_name, 
u32 type, u32 mask)
 }
 EXPORT_SYMBOL_GPL(crypto_alloc_rng);
 
-int crypto_get_default_rng(void)
+static int crypto_get_rng(struct crypto_rng **rngp)
 {
struct crypto_rng *rng;
int err;
 
-   mutex_lock(_default_rng_lock);
-   if (!crypto_default_rng) {
+   if (!*rngp) {
rng = crypto_alloc_rng("stdrng", 0, 0);
err = PTR_ERR(rng);
if (IS_ERR(rng))
-   goto unlock;
+   return err;
 
err = crypto_rng_reset(rng, NULL, crypto_rng_seedsize(rng));
if (err) {
crypto_free_rng(rng);
-   goto unlock;
+   return err;
}
 
-   crypto_default_rng = rng;
+   *rngp = rng;
}
 
-   crypto_default_rng_refcnt++;
-   err = 0;
+   return 0;
+}
+
+int crypto_get_default_rng(void)
+{
+   int err;
 
-unlock:
+   mutex_lock(_default_rng_lock);
+   err = crypto_get_rng(_default_rng);
+   if (!err)
+   crypto_default_rng_refcnt++;
mutex_unlock(_default_rng_lock);
 
return err;
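Review bot: crypto_get_rng() now allocates and seeds whichever RNG pointer it is handed but carries no comment stating that the caller must hold the mutex guarding *rngp; with two such mutexes after this patch a single lockdep_assert_held() cannot express the rule, so a comment above the function is the minimum. The error path is preserved from the old crypto_get_default_rng() (allocation or crypto_rng_reset() failure frees the rng and leaves *rngp untouched), which is good.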
@@ -176,24 +187,33 @@ void crypto_put_default_rng(void)
 EXPORT_SYMBOL_GPL(crypto_put_default_rng);
 
 #if defined(CONFIG_CRYPTO_RNG) || defined(CONFIG_CRYPTO_RNG_MODULE)
-int crypto_del_default_rng(void)
+static int